Cybercriminals are currently spamvertising with IRS (Internal Revenue Service) themed emails, enticing end and corporate users into downloading and viewing a malicious .htm attachment.

More details:

Spamvertised subject: Your tax return appeal is declined

Spamvertised message: Dear Chief Account Officer, Hereby you are notified that your Income Tax Refund Appeal id#9056219 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.

Malicious attachment: IRS_H11832502.htm

Malicious iFrame URL found in the attachment: hxxp://dporooppasoodajhsjs.ru:8080/images/aublbzdni.php
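The attachment in this campaign is a plain .htm file whose only job is to pull a remote page into a hidden iFrame. The following is an added example (not code from the original post or from any vendor it mentions) of how a mail gateway or triage script could pick that pattern out of an HTML attachment: it parses the file, collects every iFrame, and reports why each one looks like a drive-by loader (external host, non-standard port, script endpoint, hidden sizing). The sample attachment, its host name and path are constructed placeholders, not the indicators from this campaign, and the output is defanged so nobody fetches it by accident.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML e-mail attachment carrying a hidden iframe.
# The host name and path are placeholders, not indicators from any real campaign.
SAMPLE_ATTACHMENT = """<html><body>
<p>Please wait while your appeal details are loaded...</p>
<iframe src="http://attacker-placeholder.invalid:8080/images/loader.php"
        width="1" height="1" style="display:none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def extract_iframes(html_text):
    parser = IframeCollector()
    parser.feed(html_text)
    parser.close()
    return parser.iframes


def is_hidden(attrs):
    """True if the frame is sized to be invisible or hidden via inline style."""
    tiny = {"0", "1", "0px", "1px"}
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        attrs.get("width", "") in tiny
        or attrs.get("height", "") in tiny
        or "display:none" in style
        or "visibility:hidden" in style
    )


def defang(url):
    """Render a URL so it cannot be clicked or fetched accidentally (hxxp, [.])."""
    parsed = urlparse(url)
    if not parsed.hostname:
        return url
    safe_host = parsed.hostname.replace(".", "[.]")
    return url.replace("http", "hxxp", 1).replace(parsed.hostname, safe_host, 1)


def assess_iframe(attrs):
    """Return the reasons an iframe looks like a drive-by loader (empty if none)."""
    reasons = []
    parsed = urlparse(attrs.get("src", ""))
    if parsed.scheme in ("http", "https") and parsed.hostname:
        reasons.append("loads external content")
        if parsed.port not in (None, 80, 443):
            reasons.append(f"non-standard port {parsed.port}")
        if parsed.path.lower().endswith(".php"):
            reasons.append("server-side script endpoint")
    if is_hidden(attrs):
        reasons.append("hidden from the viewer")
    return reasons


def scan_attachment(html_text):
    """Return [(defanged_src, reasons)] for every iframe found in an attachment."""
    return [
        (defang(frame.get("src", "")), assess_iframe(frame))
        for frame in extract_iframes(html_text)
    ]


if __name__ == "__main__":
    for src, reasons in scan_attachment(SAMPLE_ATTACHMENT):
        print(src, "->", "; ".join(reasons) or "no findings")
```

Any one of these reasons on its own is weak (plenty of legitimate mail links to port 8080 or to .php pages); the combination of an external source, a hidden frame and an unsolicited HTML attachment is what should trigger quarantine and a closer look.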

Upon successful client-side exploitation, the campaign drops MD5: 972c89c5114fae66595e5d3e3817e746 – detected by 32 out of 42 antivirus scanners as Worm:Win32/Cridex.B from hxxp://xsopiisvvajushgd.ru:8080/images/jw.php?i=8.

It then phones back to hxxp://usepaxvulfdtnwiwwk.ru:8080/rwx/B1_3n9/in/ (178.162.154.214) and hxxp://nolwzyzsqkhjkqhomc.ru:8080/rwx/B1_3n9/in/ (88.190.22.72).

What’s particularly interesting about this campaign is that the malicious iFrame is hosted within a fast-flux botnet, and is therefore currently responding to multiple IPs, in an attempt by cybercriminals to make it harder for security researchers to take it down.
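Fast-flux hosting shows up in DNS data as a domain that keeps resolving to many different addresses, spread across unrelated networks, with very short TTLs. As an added example (not code from the original post or from any vendor it mentions), the script below applies that heuristic to a small set of constructed passive-DNS style observations; the domain names and the addresses are placeholders (RFC 2606 names, RFC 5737 test ranges), not this campaign's indicators, and the /16 grouping is a crude stand-in for the ASN lookup you would use with real data.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS style observations: (domain, resolved_ip, ttl_seconds).
# Domains and addresses are placeholders, not indicators from any real campaign.
OBSERVATIONS = [
    ("flux-placeholder.invalid", "192.0.2.10", 60),
    ("flux-placeholder.invalid", "198.51.100.22", 60),
    ("flux-placeholder.invalid", "203.0.113.7", 60),
    ("flux-placeholder.invalid", "192.0.2.55", 120),
    ("flux-placeholder.invalid", "198.51.100.91", 60),
    ("flux-placeholder.invalid", "203.0.113.200", 60),
    ("static-placeholder.example", "192.0.2.1", 3600),
    ("static-placeholder.example", "192.0.2.2", 3600),
]

# Thresholds are illustrative; tune them against your own resolver logs.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETS = 3
MAX_TTL = 300


def summarize(observations):
    """Aggregate per-domain stats: distinct IPs, distinct /16 networks, lowest TTL."""
    ips = defaultdict(set)
    nets = defaultdict(set)
    min_ttl = {}
    for domain, ip, ttl in observations:
        ips[domain].add(ipaddress.ip_address(ip))
        # A /16 is a rough proxy for "different network"; real tooling would map to ASNs.
        nets[domain].add(ipaddress.ip_network(f"{ip}/16", strict=False))
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    return {
        d: {"ips": len(ips[d]), "nets": len(nets[d]), "min_ttl": min_ttl[d]}
        for d in ips
    }


def is_fast_flux(stats):
    """Flux verdict for one domain's summary: many IPs, many networks, short TTL."""
    return (
        stats["ips"] >= MIN_DISTINCT_IPS
        and stats["nets"] >= MIN_DISTINCT_NETS
        and stats["min_ttl"] <= MAX_TTL
    )


def flag_fast_flux(observations):
    """Return the sorted list of domains whose resolution pattern looks fast-fluxed."""
    return sorted(d for d, s in summarize(observations).items() if is_fast_flux(s))


if __name__ == "__main__":
    for domain, stats in summarize(OBSERVATIONS).items():
        verdict = "FAST-FLUX" if is_fast_flux(stats) else "ok"
        print(f"{domain}: {stats} -> {verdict}")
```

Because the same domain answers from many hosts, blocking individual IPs is ineffective against this kind of infrastructure; the durable response is to block or sinkhole the domain itself at the resolver and to alert on any internal host that resolves it.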

[…] The Russian domains are fast-fluxed by the cybercriminals in an attempt to make it harder for security researchers and vendors to take down their campaign. We’ve seen a similar fast-flux technique applied in the following campaign – “Spamvertised ‘Your tax return appeal is declined’ emails serving client-side exploits and malwar…“. […]